[Samba] samba 4 and external dns(bind)

Fri Oct 18 14:08:06 MDT 2013

On 10/18/2013 03:04 PM, Taylor, Jonn wrote:
> On 10/18/2013 12:40 PM, Amaury Viera Hernández wrote:
>> On 10/18/2013 01:22 PM, Taylor, Jonn wrote:
>>> On 10/18/2013 10:34 AM, Amaury Viera Hernández wrote:
>>>> On 10/18/2013 10:23 AM, Taylor, Jonn wrote:
>>>>> On 10/18/2013 09:10 AM, Amaury Viera Hernández wrote:
>>>>>> Hi everyone,
>>>>>> I need to use samba 4 server, but I need to install a server with a
>>>>>> dns service(bind9.8) in other server.
>>>>>> Is that possible?
>>>>>> If yes, There is any documentation for it?
>>>>> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
>>>>>
>>>>> https://wiki.samba.org/index.php/Dns-backend_bind
>>>>>
>>>>
>>>> Well,
>>>> Yes, That's the tutorial for using bind with samba,
>>>> but if I use samba in the server01.domain.anything and I need to use
>>>> bind in the server02.domain.anything.
>>>> There are some steps in the tutorial that I can't understand, for
>>>> example:
>>>>
>>>>  Bind 9.8 / 9.9
>>>>
>>>> A DNS keytab file was automatically created during
>>>> provisioning/updating. Add the following' tkey-gssapi-keytab' option
>>>> to the 'options' section of your named.conf:
>>>>
>>>> options {
>>>>      [...]
>>>>      tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>>>>      [...]
>>>> };
>>>>
>>>> Note that /usr/local/samba/private/dns.keytab is in other server
>>>>
>>>> and
>>>>
>>>> During provisioning/upgrading, a file
>>>> ('/usr/local/samba/private/named.conf') was created, that must be
>>>> included in your Bind named.conf:
>>>>
>>>> include "/usr/local/samba/private/named.conf";
>>>>
>>>> Note that: /usr/local/samba/private/named.conf is in other server
>>>>
>>>> Besides, the content of include "/usr/local/samba/private/named.conf";
>>>> is:
>>>> database "dlopen  ...  dlz_bind9.so" and this is in other server
>>>>
>>> Need a little more info on what you are trying to do. If the second
>>> server is a second domain controller the provision will create these for
>>> you when you join the domain. If you are running a file server that is
>>> part of domain you can setup bind and do zone transfers from the domain
>>> controller.
>>>
>>> If you need help with the setup let me know and I can post configs
>>> for you.
>>>
>>> Jonn
>>>
>>> ________________________________________________________________________________________________
>>>
>>>
>>> III Escuela Internacional de Invierno en la UCI del 17 al 28 de febrero
>>> del 2014. Ver www.uci.cu
>>
>> Well, Yes, is a domain controller with bind
>> The principal problem is that if I have a principal domain controller
>> (Active directory with dns OR samba4 + dns bind or internal dns) and
>> join samba4 as a domain controller,
>> This new samba4 does not use a dns server and yes, the data
>> replication works fine but:
>> When a transfer the five roles in active directory and demote the
>> principal domain controller(Active directory with dns OR samba4 + dns
>> bind or internal dns) the users that were using the principal active
>> directory domain controller can't login in this new domain controller,
>> but I think that the principal problem is that this new samba4 server
>> primary domain controller does not have a dns server.
>>
>> I don't speak english, Apologize me for it.
>> Regards, Amaury.
> Each samba4 AD server must have a dns server. When you you did the join
> if you did not specify that you wanted to use bind it will default to
> the internal one. This can be changed with out any problems. As for dns
> to the clients you need to make sure the dns they have point to both
> your AD servers. You will also need to make sure that your SOA records
> point to the new AD servers.
>
> One more thing, you need to copy your sysvol directory from the old
> server to the new one and the run "samba-tool ntacl sysvolreset" to get
> the permissions correct. Samba 4 does not replicate the sysvol as of yet.
>
> Jonn
>
> FYI... your written english is fine.

Well, I have been using the information located at:

http://wiki.samba.org/index.php/Samba4/HOWTO
https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC

https://wiki.samba.org/index.php/Dns-backend_bind
https://wiki.samba.org/index.php/Samba_4_OS_Requirements
https://wiki.samba.org/index.php/Build_Samba#Step_2:_Compile_Samba4
https://wiki.samba.org/index.php/Samba4/InitScript
https://wiki.samba.org/index.php/DNS_Administration

Everything works fine, and I'm very happy with all the tests, except for 
joining a Samba4 as a domain controller:

For beginning we need to join samba4 as a domain controller:

/usr/local/samba/bin/samba-tool domain join samdom.example.com DC 
-Uadministrator --realm=samdom.example.com -> for using internal dns as 
dns backend

OR

/usr/local/samba/bin/samba-tool domain join samdom.example.com DC 
-Uadministrator --realm=samdom.example.com --dns-backend=BIND9_DLZ -> 
for using bind as dns backend

And all the other things in this information works fine for me(the dns 
records creation and more, including the test replications).

The main problem is that:
If I use the internal dns as backend, When I try to connect me with de 
administration pack of windows(Windows XP), I get a message saying that 
there is not dns server(although the 53 port is running in the samba4 
server)

If I use the bind dns as backend, When I try to restart bind, i get an 
error in syslog that says that bind9 couldn't load the dlz driver.

I'm using ubuntu server 12.04 for samba4(testng 4.0.9 y 4.0.10).
Windows server 2003 for active directory
Admin pack administration of Windows XP for managing active directory 
and samba4

In both situations, I'm having troubles with the dns server and I have 
not idea about it

Regards, Amaury.
________________________________________________________________________________________________
III Escuela Internacional de Invierno en la UCI del 17 al 28 de febrero del 2014. Ver www.uci.cu